parreet 4 





Texts of Plessey papers presented at the 
International Switching Symposium 


Massachusetts Institute of Technology 


Cambridge, Mass., U.S.A. — June 6-9 1972 


Papers 
Operating System of System 250 D.M. England 
Tne Operational Requirements for J.M. Cotton 
Future Communications Control 
Processors 
Hardware of the Svstem 250 D. Halton 


for Communication Control 


Telephone Switching based | W.AC. Hemmings 
on System 250 


fecunical Literature B.7204/1 


Plessey, Taplow Court 
Plessey, Taplow Court 


Plessey, Poole, Dorset 


Plessey, Liverpool 


Printed in Great Britgin 











OPERATING SYSTEM OF SYSTEM 250 


DM. England 


Plessey Company Ltd. 
Taplow Court, Maidenhead, 
Berks. England. 


Abstract 


The paper describes the Operating System of System 250 in 
terms of a series of abstractions achieving logical facilities con- 
venient to the applications programmer and a unique Software 
interface between applications and operating systems code. 


LEVELS AND ABSTRACTIONS 


1. Inanow classical paper on computer operating systems, 
Edsger W. Dijkstra postulates an operating system constructed 
as a series of layers or levels. Each level has two significant 
characteristics, the present paper being more concerned with 
the second:- 


(1) 


It offers a set of facilities to all higher levels in the 
operating system's hierarchy, enabling it to be built 
up layer by layer. 

It achieves some abstraction; some physical hardware 
entity (e.g. storage devices) is transformed into some 
smooth, logical, abstract entity (e.g. virtual memory) 
that is, moreover, altogether easier to manipulate. 


2. Theeffect of Dijkstra’s abstractions is as follows:- 


(1) 


(3) 


(4) 


At the bottom of the hierarchy rests the responsi-" 
bility for scheduling processor time, allocating pro- 
cessing power tu the competing programs able to run 
Above this level, each program believes that it has a 
processor to itself; so long as it is furnished with the 
processing power it needs, the fact that if shares a 
processor with others can be disregarded. 

The “‘segment controller” draws a veil over the bourr. 
dary between the main store and the disk. Above this 
level, a program simply asks for a “‘store segment”’ to 
be illocated. When the program tries to use this store 
segment, the segment controller ensures that it is 
available in main store. When an allocated store ses- 
ment is not being used the segment controller trans- 
fers it onto the disk until it is next used. 

Programs higher than level 2 can converse with the 
operator yia the console keyboard. Each program be- 
hieves itself to be in sole communication with the 
operator and oblivious of simultaneous conversations. 
The software at level 3 is concerned with buffering 
input data streams and unbuffering output data 
streams, between the actual peripheral devices and 
the programs which process the data. Above this 


(5) 


level actual communication devices lose their identity, 
and programs communicate with the outside world 
through the medium of “logical communication 
units”. 

The independent sets of user programs can now reside 
in their private worlds, furnished in abstractions, 
whilst in reality they play a game of cox and box with 
the real resources of the processing system. 


3.  Threefold advantage ts to be gained by this series of 
abstractions:- | 


(1) 


(2) 


(3) 


The system is enabled to perform a variety of jobs 
simultaneously and without any interaction between 
them, making maximum use of the physical resources 
available. | 

The user programs, which are after ail the raison 
d’etre of any processing system, are rendered indepen- 
dent of system hardware and thus robust to changes 
in the configuration and capacity of the equipment 
employed. | 
Simplification of the user programs is achieved to the 
extent that they are concerned solely with the mani- 
pulation of convenient abstract entities whose be- 
haviour is entirely logical and consistent. 


3 COMMAND INTERPRETER 


INPUT/OUTPUT STREAM MAMDLEAS 


PROCESS ALLOCATOR / MAMAGER 


STORE ALLOCATORN! MANAGER 





frond 


. BROAD STRUCTURE OF SYSTEM 250 
OPERATING SYSTEM 





AIM OF THE PAPER 


4. The PP250 Operating System is constructed as a series of 
Jevels, a hierarchy of subroutines, in a manner similar to that 
suggested by Dijxstra. rig. 1 depicts in broad terms the struc- 
ture of the PP250 Operating System, each of its layers being 
discussed in subsequent paragraphs. This paper is more concer- 
ned, however, with the corresponding abstractions; to describe 
how these are achieved is to explain the principles upon which 
the system is based. Thus, given the hardware mechanisms des- 
cribed in companion papers, the aim of this paper is to show 
how the physical resources of the system, processors, storage 


media, and peripheral devices, are transformed into abstract re- | 


sources, processes, Virtual memory, and data streams. 
PROCESSORS TO PROCESSES 


5. Toshow how CPUs suffer loss of identity it is necessary to 
anticipate the discussion on virtual memory to the extent of 
assuming a system of dynamic storage allocation. This implies 
the existence of privileged code, in the dungeons of the opera- 
ting system, with the power to create on demand blocks of the 
requisite size and deliver capabilities for them. 


6. A program may be thought of as a static structure of code 
blocks and constant data blocks contained in a network of con- 
stant capability blocks. It must have a particular start point, a 
particular code block within this network. Apply a CPU at this 
start point and it executes code, it processes input data, it asks 
for data blocks and is delivered capabilities, and so it has to ask 
for capability blocks in which to store them. In short, it con- 
structs its own private suob-network of capabilities, a private data 
structure unique to this run of program. 


7. Apply another CPU at the same start point, perhaps at the 
same time, and although it obeys the same code it asks for its 
own blocks and constructs a separate data structure. Allow dis- 
continuities in each execution of the program, e.g. while 
waiting for more input data, and the two runs can be performed 
on the same CPU, whose power is snared or scheduled between 
the two runs. 


8. Two conclusions can now be reached:- 

(1) It is possible to distinguish between execution of a 
prvgram and the program itself. Although there may 
be many more or less simultaneous executions of the 
same program, the program itself is singular. The 
term used for the execution of a program is a “‘pro- 
cess” and that for the kind of program which can have 
many simultandous executions is a “reentrant pro- 
eram’’. Ina telephone switching system, for example, 
there may be many processes, each servicing a diff- 
erent telephone call, but all obeying the same reen- 
trant telephone switching algorithm. 

(2) It ts immaterial to a set of processes whether each has 
its own CPU or all are scheduled on the same CPU, so 
long as each receives a requisite amount of processing 
power. 


9. Asasystem normally contains a number of different pro- 
grams, so it is possible to have processes of different types simu- 
Itaneously in existence. 


10. CPUs have now almost disappeared, short of explaining the 
mechanism fur scheduling processes ina multi-processor envir- 
onment (see Fig. 2). The action of this mechanism ts to select 
another process to run ona CPU when the current process on 
that CPU comes to an end or has to await some event, e.g. 
arrival of more input data:- 











PROCESS 
On 
PROCESSOR 1 


PROCESS 
ON 
PROCESSOR 2 






PROCESS 
Ow 
PROCESSOR 3 






















SCHEOULER 
CODE 





SCHEDULES 
CAPABILITY 
SLOCK 





2. REENTRANT PROCESS SCHEDULER 


(1) Itis part of the action of every process which runs on 
a CPU select the next process to run on that CPU by 
executing a “process scheduler” subroutine. 

(2) The process scheduler selects the first item in a “pro- 
cess ready list” of processes that are in an executable 
condition. 

(3) As there is only one process ready list for the entire 
system, it provides a common work pool for all CPUs. 
A process might run on any CPU, whichever selects it 
when it reaches the head of the process ready list. 
Further, where there are discontinuities in the running 
of a process, different parts of its run might be per- 
formed on different CPUs. 


11. It may now be seen that CPUs do no more than furnish pro- 
cessing power to processes, the number of CPUs in any configur- 
ation being dictated solely by its total processing requirement, 
the processes themselves being insensitive to the number of 
CPUs present and the actual CPUs on which they run. Like 
Dijkstra’s processor allocator, the process scheduler furnishes to 
each process an abstract CPU which meets its total processing 
requirement. The abstraction of CPUs is thus achieved. 


VIRTUAL MEMORY — STORAGE MEDIA TO BLOCKS 


12. The purpose of this particular abstraction is to eliminate 
the distinction between main storage and backing storage and 
enable a process to be concerned solely with store blocks of the 
requisite size and type of access. The subject is a large one and 
can only be given cursory treatment in a paper at this level. 


13. The aim of the virtual memory scheme is for blocks to be 
transferred between main store and disk automatically, without 
the processes using these blocks being conscious that any such 
transfers are taking place. The only requirement that a process 
has is that when it attempts to use a block, the block should 
automatically be transferred into main store if it is not there al- 
ready. A simple hardware mechanism ts used to detect an 
attempt to use a block which is not currently in main store. This 
causes an interrupt into a “trap handler” process (fig. 3) of 
which there is one per CPU. 













Trap 
INTEARUPTS 


TRAP 
HANMOLER 
PROCESSES 











HANDLER 
PROCESS 





[ 


| PASCESS ’ 
t 


4 


Riacy 


Lts’ 





CAPasiLiTyY ———— > 
SaTa FLOW ---— PP 


3. TRAP AND DISC HANDLERS 


14. The action of the trap handler process is to queue the 
trapped process, with an indication of the required block, for 
action by the “disk handler” process. The disk handler initiates 
transfer of the required block into main storage space allocated 
for the purpose. It then enters the trapped process in the pro- 
cess ready list. When the process is rescheduled it successfully 
reattempts the trapped instruction, and proceeds to use ine 
block concerned as if nothing had happened. 


15. When a process requires a new block of storage. it calls a 
“store allocator” subroutine, specifying the length and access 
required. The store allocator allocates appropriate space on the 
disk, It delivers to the process a capability for the block thus 
created. An attempt to use the block would, according to the 
mechanism described above, result in the block being transferroc 
from disk into main storage space allocated for it. In fact, the 
actual transfer is in this case short-circuited, as the block does 
not yet contain any useful information. 


16. When a process has no further need for a block, it over- 
writes all its capabilities for the block. The system may reuse 
disk space occupied by a block when no capabilities tor if exist, 
as the block is then inaccessible to all processes. 

17. In this summary of the virtual memory scheme, it remains 
to outline the algorithm used to select blocks for transferring 
out:- 

(1) Essentially, the algorithm employed is “longest in’, 
it selects for transferring out the block which has been 
longest in main store. 

(2) However, the algorithm permits certain critical blocks 
to be locked down in main store, e.g. those used by 
the disk handler. 

(3) Yhen a block can be recognised as having remained 
unchanged while in main store. be. access to tt ts 
limited to read data, and/or execute, or read capa- 
bihty, the space if occupies is deallocated without 
any actual! transfer out having to take place. 


18. Although the mechanisms required to achieve a virtual 
memory are quite involved, its use is simplicity itself; a process 
simply executes the store allocator when tt requires more store 
and overwrites all copies of capabilities for blocks it no longer 
requires. This discussion makes no distinction between data type 
and capability type blocks. It makes the tacit assumption, there- 
fore, that capability blocks can be held on disk, indeed that the 
capability network extends from the address space of main 
sture to the address space of the disk, regardless of the physical 
boundary between them. It is essential for this to be so fora 
virtual memory, the abstraction of storage devices, to be 
achieved. 

DEVICES TO DATA STREAMS 


19. The purpose here is the abstraction of non-interactive de- 
vices, paper tape readers, paper tape punches, lineprinters, etc. 
in favour of “data streams’. A process may then be concerned 
simoly with its input and output data regardless of the actual 
devices employed. 


20. When a process requires to input or output, it must first 
execute a “stream allocator” subroutine, supplying the stream 
name, in keyboard characters, as a parameter. Correspondingly, 
a human may use 1 keyboari’ command fo ascribe that name to 
a device. The action of the stream allocator is to allocate to the 
process the device thus named. The process may then either in- 
put data trom the stream or output data to it by executing a 
“set data” or “put data” subroutine respectively, some suitable 
unit of data e.g. 100 words, being thus transferred. 


21. ‘The process ss insensitive to the device, even the type of 
device, used to transfer tts data. The “put data” or “get data” 
subroutine simply passes a unit of data to or from a device 
handler process associated with the device concerned and res- 
ponsible for the paysicul transfer of data. 


22. The hurnan mav ascribe a name to a data file within the 
virtual memory instead of a physical device. The action of the 
stream allocator is then to allocate the data file to the process as 
its data stream. Physical transfer between the data file and a de- 
vice is then wholly disassociated from the process, to achieve a 
conventional “offiining” facility. The process, however, still 
employs “get data” and “put data” as discussed above to com- 
municate with its streams. Thus, a process is insensitive not only 
++ the devices providing the source and destination of its data 

at also to whether or not that data is off-lined. Data streams 
correspond to Dijkstra’s “logical communication units”. 


rORM OF A LOGICAL RESOURCE 


23. To be comolete, this paper must answer the question 
“What, then, is a logical resource?” In the case of a store block 
the answer is self evident; the store block ts itself the resource. 
A more complex resource consists of a collection of store 

blocks which can contain, i some meaningful format, data des- 
cribing the resource. To take an example, the format for a pro- 
cess must provide for its start point, priority, space to preserve 
register values on interrupt or suspension, etc. A logical resource, 
then, is nothing more than a data structure, of which a single 
block is the simplest example. 


24. The paper now goes on to show that, just like a store block, 
.Ay Jogical resource is represented to the user by a single capa- 
oiitv. The paper describes how the operating system is called 
and now abstract resources are represented, allocated, and 
operated upon. ft shows the realisation of a standard software 
interface. 








CALLING THE OPERATING SYSTEM 


25. Calls to the operating system are invariably achieved by 
means of an “enter type” capability, as described in companion 
papers. This means that, in order to call the operating system, 
each process has to be furnished with an enter ty pe capability 
fur operating system subroutines (fig. +). This enables the pro- 
cess to execute code blocks within the operating system, which 
thus carries out the required operations. Two points should be 
observed:- 

(1) The enter mechanism automatically denies to the 
calling (user) subroutine access to tne called (opera- 
ting system) subroutine’s data structure, thus pro- 
tecting the operating system from corruption by user 
processes. 

(2) Thus, there is no formality involved ina call to an op- 
erating system subroutine, which is called just tke 

“any other. Unlike conventional systems, no special 
mechanism is required to enter the operating system, 
which in turn requires no “privileged mode” of 
operation. 


26. Each process is furnished with an enter type capability for 
a “resource allocator” within the operating system. This gives 
the process access to a number of code blocks, each one being 
concerned with the allocation of a particular resource-ty pe, the 
“store allocator’, the “stream allocator’, etc. execution of 

' which causes a logical resource of the corresponding type to be 
created and allocated to the process, as described below. 


OPERATING SYSTEM 


CODE BLOCKS 





STANDARD 
uUsEa 
INTERFACE 


Hit 
AL 


@) 


OwnutL Car. 


PART OF OPERATING SYSTEM 
DATA STRUCTURELEG A RESOURCE) 





4. USER INTERFACE/ACCESS TO A RESOURCE 
RESOURCE REPRESENTATION AND ALLOCATION 


27. Execution of the store allocator causes a store block of the 
required size to be created and a capability with the required 
access tu be delivered. This type of resource might be thought 
vf as a special case; once allocated and represented by a capa- 
bility, a store block can be operated upon directly by means of 
CPU instructions, wheregs all other resource-types can only be 
operated upun by calling the operating system, The abstract 
inachine, however, is insensitive to such distinctions; it 1s no 
nore than a convenience of implementation that operations 
which are performed on simple data structures, individual 


blocks, are achieved by hardware, whereas those on more com- 
plex data structures are achieved by sofiware. An abstract re- 
source is no more than a particular data structure of blocks, the 
action of its resource-type allocator being as follows:- 

(1) It creates an appropriate resource (data structure) and 
delivers a capability for it. This is a direct parallel 
with the store allocator. 

(2) In this case, however, the capability deltvered is an 
enter type capability enabling suitable code blocks to 
be executed to perform operations on the resource 
{data structure). 

(3) Here is the curious and intriguing point, that this is an 
interface to the operating system specially created by 
the resource-type allocator to perform operations on 

~ the particular resource concerned. The resource-type 
allocator obtains a capability block and inserts into it 
execute type canabilities for the standard code blocks 
used to perform these operations and for the consti- 
tuent blocks of the resource’s data structure. Fig. 4 
still applies. 


A STANDARD, DYNAMIC, AND ADAPTIV 


: E INTERFACE 


28. It should be observed that, when a user process employs its 
enter type capability to execute a resource-type allocator, it is 
(excepting storage) delivered another enter type capability with 
which to perform operations on the resource thus allocated. The 
two iavariable rules constituting a standard user interface with 
the abstract machine can now be stated formally:- 


(1) A logicai resource is always represented by a capability, 


which can be used to perform permissible operations 
on that resource. 

(2) Accall of the operating system is always achieved by 
means of an enter type capability. 


29. Although standard, the user interface can now be seen as 
completely dynamic. When a user process requests a resource, it 
is furnished with its own private interface to the operating 
system, which it can use to perform operations on that resource. 
Further, this dynamic interface adapts to a user’s requirements; 
as his processes request resources of various types, the delivery 
of corresponding capabilities extends the scope of his user inter- 
face to provide just those operating system facilities he requires. 


SYNCHRONISING FLAGS 


30. A further resource (data structure) is normally employed 
for synchronising processes and communicating between them. 
This resource is called a “flag”, and may be created by executing 
a “flag allocator”. The problem which the flag mechanism is de- 
signed to overcome is that, while processes perform asynchron- 
ously, they nevertheless require to synchronise the transfer of 
information between them. The concept of flags is best under- 
stood in terms of the operations that can be performed on them:- 

(1) When 4 process has a message to send to another pro- 
cess, it “‘posts”’ the message ‘ton a flag’’ for which both 
have a capability, it executes a block of code that re- 
cords the message within the flag’s data structure. 

(2) The receiving process is delivered the message on re- 
quest, it executes a block of code that extracts the 
message from the flag’s data structure. However if the 
receiving process requests the message prior to its 
being posted, it is suspended until the sending process 
has performed the post operation. The receiving pro- 
cess is said to “wait for” a message ‘‘on a flag”, 


31. Thus, the operations that can be performed ona flag are to 
post a message and to wait for a message. Although the processes 





piwvolved perform asva. conously. the flag mechanism imposes 
syvachronisation on the transfer of messages between them by 
ensuring that posting and delivery occur in the logically correct 
sequence. Phe flag concept permits a number of processes to 
wait for (419. 5) or post messages on the same fag. Such mess- 
wzes would be waited for ia turn and delivered tn pesting order. 
Also. a process may wait for a message on more than one flag, 
where ifcan expect one of a number of possible events, e.g. ina 
telephone switching process, a message indicaiing the next 
dialled digit, the return of the handset to its rest, or a timeout, 






FLASS MAIN 
CACABSUITY BLOCK 






PROCESS PROCESS 


PROCESS 
a 
No a 


QUEUE OF PROCESSES 


§. BROAD DATA STRUCTURE OF FLAG 
THE HUMAN INTERFACE © 


32. When a human approaches a terminal and operates the 
“sitention key”, this causes a “command interpreter” process 
to be created, the purpose of which ts to interpret and obey 
each command subsequently typed at the terminal keyboard 
(fig. 6). As the only action the system is able to take in obeying 


SYMBOLIC 
NAMES 


CATA 
VALUES 


CAPABILITY 
VALVES 






‘ 


Ld 
ae | 


TOMMANS 


> 
CASI AMS 


i 
} 
i 
! 
1 
, 
A 
{I 
| 
, 
t 


vt 
woe 


vy LOwMAND 
wv * 

O/ 

cu, I\’TERPRETER 

ZB PROCESS 
eS 
ee 34> 
e } Mee 


6. SYMBOL TABLE 


such conmmands is to allocate and manipulate the resources of 
the abstract machine, a command must be compounded froma 
basic set of commands, each of which correspond to an abstract 
machine facility. This basic command set extends the abstract 
machine to the terminal, where its facilities are then available 
for the human to create and manipulate abstract resources at 
will. 

33. When created, a resource 15 represented within the system 
bv a capability. When the human creates a resource at a terminal 
he gives it a symbolic name. These are respectively the internal 
and external representation of the resource; each reference that 
the human makes to the resource is replaced within the system 
by its associated capability. Such associations are recorded with- 
ina “symbol table’, which is part of the data structure of the 
command interpreter process. 


34. Each command name is also recorded in the symbol table, 
iis associated capability defining a ““command program” which 
is executed by the command interpreter in order to obey the 
command. Whenever the human types the command, to create 
or manipulate an abstract resource, it is this command program 
which calls the associated abstract machine facility on his behalf. 


35. The human is permitted to generate new commands, with 
their own symbolic names, being compounded of existing com- 
mands. This enables him to manipulate a number of resources 
with a single command, which may then be expressed solely in 
terms of the work he requires the system fo undertake and in- 
dependently of the abstract resources actually involved. 


THE USER 


36. To conclude this paper, the main concerns of a system user, 
in expediting the design of his application, may be summarised 
as follows:- 

(1) The standard software interface is as pertinent to 
applications programs as if is to the operating system. 
It is a task of the user, therefore, to identify logical 
resources (data structures) convenient to his applica- 
tion, e.g. a telephone subscriber, and the operations to 
be performed on those resources, e.g. send ring tone. 
He may then proceed to write corresponding resource- 
type allocators and the code blocks which achieve the 
required operations. 

(2) The user must determine the types of processes re- 
quired to achieve his application and the criteria by 
which such processes are created, e.g. a telephone 
switching process might be created when it is detected 
that a subscriber has raised his hand-set. 

(3) There may be a range of applications personnel who 

' are required to communicate with the system for 
different purposes, e.g. operational staff, maintenance 
staff. The user-must determine the terminal facilities 
required by such personnel and establish correspond- 
ing command structures. He may then proceed to de 
fine the command programs which achieve these 
facilities, using for this the command generation 
commands. 


Acknowledgement 

I would like to thank the many colleagues on whose work 
this pauper is bused and the Directors of the Plessey Company for 
permission to publish it. 











THE OPERATIONAL REQUIREMENTS FOR 
FUTURE COMMUNICATIONS CONTROL PROCESSORS 


J.M. Cotton 


Plessey Company Ltd. 
Taplow Court, Maidenhead, 
Berks, England. 


ABSTRACT 


The future communications control problem will encompass 
not only the control of individual systems but also the control 
of remote switching systems, over data links, from a central 
location. In view of the evolutionary nature of Telecommuni- 
cation networks, it is necessary to provide for both locai and 
remote control with the same equipment. Additionally, it 
should be possible to control simultaneously, or with the same 
type of equipment, message switching systems, and other real 
time control applications. 

These requirements along with considerations of software 
reliability point to the necessity of preventing undesirable 
interaction between the various tasks of what is, in effect, a 
complex real time systern. 

This paper presents the operational requirements of such a 
control system, and deduces the necessary system features. 
Accompanying papers describe the software structures implicit 
in this approach and the hardware designs botn for the control 
equipment and for the compatible new telephony system. 


1. GENERAL 


Before considering the requirements for the control 
system, based on Stored Program Processors, suitable for future 
communications networks, it is important to be clear what 
potential advantages might be gained from the use of such a 
control system. These may be listed as foliows: 

a) The control functions in an exchange or network would 
be entirely separate from the switching, signalling and 
transmission functions and each could develop separat- 
ely without impact on the other. 

b) Ideally the logic functions normaily distributed through- 
out switching equipment, relay sets, markers etc. would 
be replaced by computer instructions executed in accor- 
dance with a program. A change of facility, demanding 
a rearrangement and redesign of logic and hardware in 
a conventional exchange which makes retrospective 
modification expensive could be provided by program 
change or replacement in an SPC system. 

Cc) Economies could be made in the design of the switch- 
ing system, Since control would have an overall view of 
the traffic pattern and could organise connections on a 
dynamic basis. 

d) Very fast call set-up times could be achieved, limited 
only by the operating response of the switching ele 
ments. As a result an SPC network could have better 
revenue carning characteristics. 


e) There need be no significant differences between 
exchanges at different levels in a hierarchy except size 
and traffic handling capacity. 

f) Inter exchange communications could be organised via 
data channels thus removing the need for expensive sig- 
nalling relay sets, and freeing the speech paths from any 
constraint imposed by in-band signaliing. 

g) Statistical information relating to system performance, 
network limitations etc., would be readily available as 
a by-product of Processor Control. 

h) Reorganisation of routing strategies could be permitted 
to avoid traffic restrictions due to cable breakdown, 
switch biock blocking etc. This reorganisation might 
be automatically executed in program or might be initi- 
ated by some mannal input from a network manage- 
ment centre. 

i) The control equipment should require less maintenance 
and would be able to provide more comprehensive diag- 
nostic assistance for such maintenance as is required. 

j)) New switching technologies which may be developed in 
the future should be more easily accommodated when 
the control function ts separated and provided by com- 
puter programs. 


ADMINISTRATION POLICIES 


WN 


It is well recognised that for anv communications 
system the complete failure of the control system is catastro- 
phic; hence it is undesirable for the control to have a probability 
of failure higher than once in 50 years or more depending on 
the number of subscribers served. In order to achieve this degree 
of reliability with present day components it is necessary to 
organise the control processing system with adequate redun- 
dancy and facilities for control reconfiguration. In consequence 
the minimum viable control system is relatively expensive, and 
there is a minimum number of subscribers which may be econo- 
mically served which is variously quoted as between 2000 and 
5000 telephone lines. Such an installation should be capable of 
handling 10,000 lines with no further control equipment. 
Hence, the approach which may be taken by an administration 
to the installation of “Stored Program Control” (SPC) systems 
will depend on the existing network circumstances and its 
financial policy. 
if the nation concerned is relatively undeveloped with little 
existing Communication equipment, then the only hindrance to 
its being able to take full advantage of the flexibility and evolu- | 
tionary possibilities of SPC may be doubts about the economics 
of the initial installation. Such doubts might well be removed 
if the equipment were capable of controlling several exchanges 
nan area, or a number of different communication 











services simultaneously (e.g. telephony and message switching) 

or if the administration could make use of the spare processin 

capacity for data processing purposes of varying kinds. 

I) however, the nation already has large quantities of existing 

electro-mechanical equipment installed at various stages in its 

useful hfe. then its problems are more severe. The three 
obvious pohues which it may take can be summarised as re- 
newalextension, replacement and overlay. These are discussed 
below. 

a) Renewal/Extension: If the Administration follows a 
policy of only renewing with SPC those installations 
which have reached the end of their lite and providing. 
SPC extensions where they are of sufficient size to be 
economic, then many decades will pass before SPC 
makes any significant penetration in the network and 
the facility and service benefits become apparent. This 
will be particularly true of some of the benefits (d, f 
and h above) which only become apparent when there 
is a high penetration. 

b) Replacement: Under this policy exchanges which re- 
quire extension are completely replaced by the new 
system. The size of the new installation will thus 
usually be big enough for the SPC to be economic. The 
drawback 1s that large capital investment is required. 

c) Overlay: Under this policy the administration will plan 
to incorporate the modern equipment in an “overlay” 
network, separate from but interfacing with the old 
equipment at suitable points and to interconnect the 
overlay portions of exchanges in a network divorced 
from the existing network, and only connected to it at 
Strategic points. An exchange growth treated in this 
manner, may continue to expand to meet growth at 
the requisite planning periods until it serves the major 
portion of the telephone service area concerned. At 
some stage When economic, the old equipment is re- 
moved and the total exchange load is now handied by 
the modern equipment. 


| 


4 
= 





It is inevitable that in the overlay principle with the 
modern equipment being provided to satisfy growth, it will be 
provisioned in smaller sizes than would be the case with com- 
plete exchange replacements, e.g. suppose it is required to ex- 
tend an 8,000 line telephone exchange with a projected annual 
srowth of S%- and the planning period is 5 years. Then the 
modern equipment to be installed will provide for an ultimate 
of 2,200 lines at the 5 vear date. This may well not be econo- 
mic, and smaller installations would certainly not be economic 
because of the cost of the individual control systems. 

An alternative approach is to aggregate the growth of a 
number of exchanges within an area, say a G.S.C. area and con- 
trol the equipment provided to switch growth traffic at each of 
the individual exchanges from a common central processor 
installation. Then if there are say !0 exchanges within the area 
with an average 5 yeur growth of 1,000 lines per exchange, the 
SPC installation is now economic - there are of course some 
additional charges to be borne in this case for the provision of 
data links and associated equipment. 


3. NETWORK BASED ON SPC CONTROL CENTRES 
It hus been shown that to apply SPC to the growth 
elements of an existing network using an overlay concept is 
oily ikhely to be economic if a control centre ty provided, 
having facilities for controlling the growth eguipment of 4 
number of eachanges in the area. Sufficient work has been 


done to indicate that even if an Administration adopted a 
policy of replacing existing exchanges with SPC, the technique 
of controlling the area from a central processor would still be 


the preferred choice. The basic reasons for preferring area con- 
trol are:- 


(i) It ensures that the control complex is worke 
ata reasonable level of efficiency. 
(ii) Because of centralised control it is possible to 


“map” the switch-blocks and interexchange connec 
tion circuits for a whole area. In the case of the 
switchblocks the use of a central map permits switch- 
block design to be optimised in terms of cost. 

(iit) = The ability of a processor to select an “over- 
all path” for a within area call improves network 
efficiency since a call from a subscriber on exchange 
A to one on exchange B (either direct or via exchange 
C) is only set up if Enks are available and the ‘B’ 
subscriber's fine is free. Thus the revenue earning 
power of a given network is improved. 

(iv) The location af processors in a central situa- 
tion is more conducive to efficient maintenance. The 
central processor armed with efficient diagnostic pro- 
grams can identify faults perhaps down to plug-in 
card level and provide a print-out of the fault and 
diagnosis. From the centre a maintenance office 

can be despatched to the fauit location equipped 
with the necessary replacement unit. 

_{v) Management of a network is more readily 
achieved in terms of alternative routing strategies 
designed to “route around” fault equipment or 
junctions. 

(vi) Day to day administration of a network e.g. 
disconnection of service for ceased lines or non-pay- 
ment of rental, changes in class of service etc. can be 
achteved from central control. 

(vil) The gathering of management siatistics on 
traffic, call holding time, cali distribution by desti- 
nation, levels of successful calls etc. are ready avail- 
able with the appropriate programs. 

(viii) inter-processor communication is only required 
on those calls entering or leaving the area. 

(tx) The improved facilities and service offered by 
SPC achieve a wider and faster penetration. 

(x) P.A.X. and P.A.B.X. equipments within the 
area may also be controlled remotely by the central 
processor equipment. 


4. SYSTEM CONCEPT 


Ideally to meet the requirements of an evolving network 
either of an overlay nature or by exchange replacement, the 
new telephony system should possess two important properties. 
Piese:.are: 

Flexibility 
Ability to evolve 
The requirement for flexibility arises trom:- 


(i) variations in size for different environments in 
terms of subscribers and traffic. 
{it) Variations in facility requirements in different 
environments. 
(111) the need for the system to exist in many 
varying Coufigurations £.e€. main exchanges; group 
switching centres; overlay network switching nodes 
ete. 


a 











The requirement for the ability to evolve arises from:- 


{1) qualitative changes in the network due to 
the introduction of new services and facilities. 
(ii) the rapid advances in technology. 


From these requirements the following general princi- 
ples can be defined which could lead to an attractive 
system framework:- 


a) General purpose approach to the provision of 
equipment; which allows both flexibility and 
evolution. 

b) Open-endedness of organisation; allowing unre- 

stricted srowth. 

c) Recognition of natural distinctions within the 
system such that the distinct parts can develop 
separately with the advent of new needs and 

means. 

d) Modularity, both in hardware and software, 
which will provide flexibility of application. 


These principles will be followed by division of the 
total system into sub-systems which are tunctional entities 
rather than physical entities. A sub-system is thus implemented 
as a modular combination of hardware and software which 1s 
functionally complete such that any change to the sub-system 
is contained within itself and snould not necessitate associated 
changes in other subsystems. 

A sub-system is defined by means of its functional 
interfaces with the rest of the system. The definition thus 
includes both the hardware and software interfaces which 
envelop the sub-system. Complete freedom of design and 
evolution and varying hardware/software boundaries are possi- 
ble within the subsystem interface envelope. The rest of this 
paper is concerned with the contro] sub-system, which, in the 
network control situation might be thougnt of as a processor 
utility since it could be used to control telephony sub-systems 
of successive equipment generation und designed by ditferent 
manufacturers, a5 well as other communications sub-systems 
such as data networks, telex and message switching. The 
telephony sub-sysiems are discussed in a companion paper. 


5. SYSTEM CONSTRAINTS 


The constraints which are imposed on the design of a 


‘processor complex for it to be suitable as the exchange control 


or network Control Centre (CC) in the future communications 
network as described above, may be listed and discussed as 
follows:- 


(i) Continuity of Service is required for all the 
exchanges ia the network with no service interrup- 
tion allowed during expansion of hardware or faci- 
lities. This is even more important if a Control 
Centre is supplying the control for all the exchanges 
in an area. Continuity of service is also required 
despite the failure of portions of the control system 
so that on a probabilistic basis its mean time 
between failures must be between 40-325 years 
(dependant on amuunt of equipment controlled) in 
the face of both transient or permanent hardware 


failure and the inevitable existence of software errors. 


Such service continuity cannot rely on manual inter- 
vention since the control equipment may spend fong 
periods unattended. 

(ii) Expansion of the number of subscribers in an 
area is presently at 6%7 p.a. in the ULK. 


If an overlay technique were followed then the 
increased traffic only would be taken by the 
Control Centre. Assume the initial CC installation 
is economically justified in an exchange or an area 
to cover the first five year expansion, then the 
next 25 years will bring a 13: | expansion in the 
number of subscribers served by the CC which will 
will represent an even greater increase in traffic. If 
during this period the original outdated electro- 
mechanical equipment is also replaced then the CC 
jraffic will be increased by a factor greater than 
16:1. It is untikely that an economic initial CC 
installation will be able to expand its load by more 
more than 4 : 1 without increase in. the number 
or power of the processors. Thus the CC must be 
capable of at least 3 : 1 expansion in power dur- 
ing its life, and such an increase in processor 
power should not necessitate reprogramming of 
the system. For area control the CC must also 
cope with evolution of both the network and the 
CC itself during this period as a result of the intro- 
duction of more advanced technologies, and evo- 
lution and increase in number of the facilities to 
be offered to the subscriber. 


(tit) Network Control by the CC requires that 
some of the very large number of low activitv 
peripherals which form the exchange equipment 
will be controlled remotely over data links at the 
same time as the CC ts in direct control of co- 
located equipment. The network will (in the UK 
at least) consist of telephony sub-systems designed 
and programmed by different manufacturers, as 
well as the administration itself. The CC hardware 
and associated operating system must therefore be 
able to support many ditferent interacting soft- 

- ware sub-systems written by different teams at 
different times throughout its life and with vary- 
ing degrees of competence. Also it will probably 
be required in the future to support simultaneous- 
ly other tesks which must not interact with the 
telephony task. 


6. REQUIREMENTS 


From the foregoing discussions it is possible to ex- 
tract the essential operational requirements which will influ- 
ence the design of a suitable processor complex for a Control 
Centre for either network or individual exchange control. 
These may be considered under the following six headings:- 
modularity, continuity, expansion, evolution, isolation and 
automatic recovery. 

(i) Modularity of the equipment is necessary 
to allow economic provision of redundancy for 
system reliability, and expansion as nearly gradu- 
ated to enhanced requirements as is economic. 


(41) Service Continuity of the P.U. must be 
maintained for the life of the system with a 
Statisticaily probable mean time to system failure 
from all causes of 50 years or longer. The contin- 
uity must be maintained despite the addition, sub- 
traction, modification or evolution or maintenance 
of both hardware and software modules. 
Acceptable degrees of degradation as a result of 
partial system failure must be specified by the 
administration. 


“2 


(iii) Expansion of the Control Centre equipment 
has been shown to be necessary by a factor of 3 
or more during its life time. This brings an impor- 
tant requirement for an adequate addressing range 
for the maximum size of control area envisaged 
for both peripherals and storage. 

The second requirement is that addition of stor- 
age or processing power should not demand any 
alteration of programs. 

(iv) Fvolution of both the hardware and soft- 
ware of the CC must be erpected during the 

life tine of the system, which hopefully will be 
25 years upwards. The hardware will need to 
evolve to take advantage of improved technology 
and provide new or inproved resources’ whilst 
the software will evolve tu provide mew applica- 
tion facilities, and new operating system facilities 
and control of new resources. The need for suft- 
ware evolution points to the requirement for 
system features to allow subsequent on-line modi- 
fication of the operating system and application 
prograins. Such modification will almost certain- 
ly be under-taken by other than the original 
design staff. 

tv) Iselation of the various software sub-systems 
is a requirement to provide adequate ensurance 
that.- 


a) Sub-systems (or users are prevented 
from corrupting or illegally accessing the 
resources of other sub-systems. 

b) Sub-systems are prevented from comup 
ting or illegally accessing the resources of 
the Control Centre. 


The tsolstion is particularly tmportsnt in the area 
control case where sub-svstems of differing pur- 
pose, design generation and manufacturer must be 
co-ordinated Such isolation must. however, be 
controllable to allow necessary and defined inter- 
action between the various sub-systems and 
between each sub-system and the CC operating 
systent. 

(vi) Automatic Recovery from the effects of 
any type of hardware or software malfunction 
must be desizned into the system. Software is 
vulnerable to corruption by hardware or scftware 
faitures. Hence, the software faults and hardware 
failures should be detected, not necessary as soon 
as they occur, but before they can corrupt any 
other sub-system. Mechanisms must be provided 
to automatically tsolate a suspected fault sub 
system from the system until it is no longer 
considered suspect or hus been repaired. 


7. DESIGN OBJECTIVES 


The general requirements, discussed so far. for the 
control system either for a single eachange or fur an area 
Control Centre have been interpreted into the design object: 
ives of the System: 250. Vhese are discussed below:- 

aj Since the requirements for increased processing 

power and Store in general do not vecur simul- 
taneously, if has been an objective to have these 
sepurately expandable in whatis Known ay a 


b) 


Cc) 


d) 


e) 


f) 


gi 


mulii-processor organisation. The mosi economic 
form of redundancy is n + m where n is the 
rurmber of modules for the task and m is the spare 
spares to allow automatic recovery in the face of 
module failure. It is desirable thatn > m2 I. 

It is also desirable that the modules be smali since 
the M.T.B.f. of a module is proportional to its 
size or complexity and its M.Y.T.R. is inversely 
proportional to its size - both effects improving 
the mean Ume to system failure for any given 
value of equipment. 

The requirement that addition of storage or pro- 
cessing power should not demand any alteration 
of programms, reinforced by the n + m redundancy 
philosophy teads to the objective that the proces- 
sors Should not be dedicated to any particular task 
but should be capable of being regarded as part of 
the system resources. This brings the important 
corollaries that control of the following activities 
must be dedicated to any particular processor but 
must be considered as system functions. 


System timing 

scheduling ©. 

i7O handling 

interrupts 
It is also important that all code should be re 
entrant so that so that processing power may truly 
be regarded as a resource allocatable as the situa 
tion demands. 
To facilitate hardware evolution it is an important 
objective that the various interfaces between hard- 
ware modules should be as few and as simple as 
possible. 
To facilitate software evolution and to improve 
the abiltty of the system to provide service con- 
tinuity despite the inevitable software bugs it has 
been an objective to take software isuiation down 
to a much finer structure than the sub-system 
level. Each code block or sub-routine must have 
isulation against interference from other code 
blocks. 
Such isolation together with the requirements for 
expansion without software alteration, and recon- 
figuratiun in the face of store faults leads to the 
objective of flexible and fully relocatable storage 
partitioning and allocation. It would also be most 
desirable to provide the level of suftware abstrac- 
tion which allows each sub-system to believe it ts 
the only occupant of the system. 


As a corrollary of objective 6) it has heen an 
important objective to provide a high degree of 
fault detection in hardware so that each processor 
in the system will detect its own faults. 

Having detected a fault it should have hardware 
facilities for removing itself from the system and 
applying self-checking until either ut finds iseif 
fault free (in the case of transients, software faults 
or store faults} or il is repaired. 

Since the mean time to system failure is inversely 
dependent on the time to repair it has been an 
objective to provide factitties for a good processor 
to be used to diagnose faults 1a another processor. 














FIG. 1 TYPICAL SYSTEM CONFIGURATION 


8. SYSTEM REALISATION 


a 





The System 250, which is described in detail in accom- 
panying papers, is the system which realises ail the objectives 
and meets the requirements discussed above. [t is fully modular 
with simple interfaces us will be appreciated from the typical 


system organisation shown in fig. 1. It is possible to add storage - 


or processing power independently without need for software 
alteration, and the additions may be made to an operational 
system without disturbance to service. 

The key to ihe ability to isolate software modules and 
detect both hardware and software errors whilst preventing 
their effects from corrupting the remainder oi the system has 
been the use of Capabilities. The original concept came from 
Van Horn (ref. 1) but in System 250 they have been realised in 
hardware. Fundamentally a capability defines a system resource, 
the most easily understood examples being a store block ora 
subroutine. 

Fig. 2 shows that the position of the store block is de 
fined by base and limit values whilst the permitted use of the 
block is defined by the access field. Such a capability may be 
the exclusive property of a process but if desired the owning 
process may allow other processes to have tne same or more 
restricted access to the resource defined by the capability. 

By ineans of such capabilities it is possible to run many 
entirely independent jobs on the same system, with complete 
control of the isulation or desired interaction of the jobs. 

By these means it is possible to test undebugged soft- 
ware ona live system without fear of system cotlapse. Thus it 
becomes feasible to use the same control system to simul- 
taneously control telephony, message switching and telex with- 
out fear of undesired interaction, and if desired, run back- 
ground batch processing as well. 


Acknowledgement 
I would like to thank the many colleagues on whose 
t 


work this paper is based and the Directors of the Plessey 
Company for permission to publish it. 


10 






15 


Module No | 


Access code 


BASE 


Location 


ACCESS CODE 


READ 
WRITE 
EXECUTE 


READ CAPABILITY 
WRITE CAPABILITY 


ENTER CAPABILITY 


Reference 1) 


FIG. 2 CAPABILITY FORMAT 


Dennis J.B. - Van Horn EC. 
(1966) Programming Semantics 
For Multi Programmed Computations. 


Comm. of the ACM, Vulume 9 


Page 143 


BIT No 


16 
17 
18 


193 
20 


21 











HARDWARE OF THE SYSTEM 250 FOR COMMUNICATION CONTROL 


D. Halton 


Plessey Company Ltd. 
Poole, Dorset, Engiand 


Abstract 


The paper describes the implementation of a system 
designed to meet the requirements discussed in the associated 
papers. In order to meet the requirements of reliability and 
flexibility a multi-processor approach was adopted, uliowing of 
modular and independent addition of processing and storage 
capacity. The main aims for the hardware design have been to 
achieve reliability utilising the principie of redundancy and to 
impose minimum restrictions on system and software organisa- 
tion. 

A multi-processor approach, while offering the ability 
to provide redundant modules in an economic manner, as 
opposed to full duplication, presents considerable problems in 
interaction between processors, particularly in a ioad-sharing 
mode. To deal with these problems and also to facilitate soft- 
ware organisation, a capability protection concept has been 
implemented in the system. 


System Configuration 


_ The control of the system and ail processing functions 
are carried out by the Central Processors (CPU), the programs 
and data being held in the storage modules which are fully 
distributed i.e., ail storage modules can be accessed by ali pro- 
cessors. Thus, the functioning of the Central Processor is of 
major importance in an understanding of the system. Before 
dealing with the Central Processor in detail however, it is use- 
ful to consider the various modules of the system and the ways 
in which these can be configured. At this stage. the basic func- 


tions will be described with more detailed descriptions as appro- 


priate at a later stage. 


PiU 4 





CPU : CPU 


. Tee 


Fiy. 1 Minimal System 


‘Figure | shows a basic two processor configuration in- 
volving two sturage modules and simple computer peripherals. 
The bus connection from the CPU to the Store Access Unit 
(SAU), known as the memory bus, is provided on a one per 
CPU basis, and is implemented in balanced drivers and receiver 


gates, swiiching about zero. Data is transferred in parallel be 


tween CPU's and stores. In this configuration the peripherals are 
connected directly to the memory buses, via Parallei Interface 
Units which comprise two sections. These are the bus interface, 
which is adopied as the system Standard Parallel Interface, and 
the section which converts the device interface to the Standard 
Parailel Interface. This method of peripheral connection is 
shown as an indication of system possibilities rather than a 
practical example. 


SCANNER 


DISTRIBUTOR 





CPeu 





Fig 2) Basic Exchange System 








Figure 2 shows a rather more practical system which 
involves the basic connections to telephone peripherals. In 
System 250 the connection Gof the telephone system, which in 
computer terms involves a lurge number of slow-rate peripher- 
als, is effected via a serial data medium, which also handles the 
Slow-rate Computer peripherals such as paper tape equipment 
and teletypes. 

_ The interface between the parallel and the serial med- 
ium is effected by the Serial Parallel Adaptor (SPA) which 
handies data transfers in both directions. The serial medium 
coniprises a number of data switches which can be cascaded to 
provide the required degree of concentration or diversion. 
Large numbers of physically distributed devices can be handled 
by situating a Primary Data Switch (PDS) adjacent to the SPA 
and Secondary Data Switches (SD5) adjacent to the devices. 
© The PDS has a 64-way switching capability and the SDS a 16- 
way capability. Tne Serial Medium presents a Standard Serial 
Interface to all switching outlets and each dependent device 
must therefore have an interface unit which converts from the 
Standard Serial literface to the device interface, known as the 
Serial Interface Unit. In some circumstances the demands of a | 
peripheral device for data transfer may constitute a full load 
ona CPU so that the CPU ts continually invoived in control 
of peripherals. The inefficient use of the CPU is overcome in 
System 250, as in inany conventional systems, by the iniro- 
duction of a Channel Unit (CU). The Channel Unit is control- 
led by the system as another peripheral aad is set up by the | 
CPU to handle data transfers, thus enabling the CPU to re- 
Jease and carry oui other processing tasks. The CU is provided 
with its own bus to enabie transfers to be performed independ- 
ently of the CPU’s. The Channel Unit is thus an active system 
module, and the provision of multiple recister sets enables it 
to control a number of simultaneous data transfer. The mech- 
anisms which enable the CU to construct and use store addres- 
ses for the purposes of data transfer are subject to the same 
degree of fault detections as those in the CPU, which are to be 
eaplained in some detail. 

Inherent in the input-output complex of System 250 
is the concept of unified addressing whereby all data sources 
and destinations in the system are identified by a 24-bit 
address generated by a CPU. This means that in effect, all 
sources and destinations in the system are addressed as storage 
locations and this principle has two unportant corollaries. 

2) The CPU does not require explicit input/output instruc- 
tions. A ‘read data from peripheral’ operation corresponds to 

a ‘load data’ instruction which specifies a peripheral register as 
the source of the transter rather than a location in store. 

b) All transfers of data within the system are controlled 
by the capability protection mechanism. Thus the allocation 
and use of peripheral revisters can be controlled by the super- 
Visor program using the normal capability mechanism. This 
eliminates the need for a special executive mode of operation 
when landiing peripherals. 

The introduction of the Channel Unit as a further 
Gevice, requiring its own bus, while improving the utilisation 
of CPU's, could increase the potential cost of interfacing peri- 
pherals onto the bus system. Every peripheral must be access- 
ibie to all active devices (CPU's and CU's) and so each PU 
Would require a mutit-port multiplexing Tunction, where the 
numiber of ports cauipped in a given configuration would be 
equal to the number of buses present. 


Multipiexer module (BM), however, has been designed. 
to concentrate the demands from the active modules onto a 
single Peripheral Bus, therefore removing the need for a varia 
able port inlet facility on each PIU. The use of the multiplexer 
thus renders the peripheral device connections insensitive to 
growth in the form of additional active modules, since the 
extra buses simply plug into the multiplexer module. 





Typical System Configuration 


Fig. 3 


Fig. 3 shows a typical large system configuration 
involving Channel Unit and Multiplexers. High speed peripheral 
devices such as disks and drums are interfaced via P!U’s to the 
peripheral bus, which utilises the Standard Parallel Interface; low 
speed devices and the teiephone peripherals are connected via the 
Serial Medtum and appropriate Serial Interface Units. Two multi- 
plexers and hence ‘wo peripheral buses are provided to ensure 
system security in the event of a failure. 

To complete the outline system description the storage 
module and the associated Access Unit should be mentioned. 
The Store Access Unit is a multi-port device, basically providing 
4 ports and expandable in modules of 4 ports. The Store Access 
Unit (SAU) handies parity generation and checking on store trans- 
fers and deals with concurrent demands by processors on the 
same storage module on a queuing basis. The storage medule 
initially provided is a 32K - 25 bit word plated wire store having 
a nominal cycle time of 250 nSec. In practice any store mudule 
can be utilised provided the interface conforms to the SAU speci- 
fication. 


The Central Processor Unit 


In order to understand the principle of system operation 
if is necessary to desernbe the architecture and in particular the 
method of address construction of the Central Processor Unit. 
In a paper of this length it is not possible to cover all details of 
the processor, and the presentation therefore concentrates on 
the areas which are particular to System 250 and discusses 








relatively briefly the aspects which conform to conventional 
computer technology. 

To introduce the principles of System 250 it is necessary 
to consider the concept of capabilities. Capabilities provide a 
method of addressing, trom the central processor unit, to any 
other system module, in a defined manner which allows of the 
detection of a fault condition if the definition is violated. 

The principle 1s most easily Gescribed in terms of access 
to main store, although as stated, capability protection is applied 
to all transfers in System 250. In the system, capabilities are 
loaded into hardware registers, the capability defining the lower 
and upper bounds of a block contained within a store module 
and the mode os access. All addresses are constructed using an 
address offset in the instruction, added to the base value con- 
tained in a capability register defined in the instruction. 

The format of the capability register is shown in Figure 
4. The register consists of two 25-bit registers, one bit in each 
register being parity. The access field contains an eignt bit linear 
code which defines the operations permitted on the block de- 
fined by the base and limit. Three of the codes READ, WRITE 
and EXECUTIVE are concerned with operations on data and 
code, the other three are used for the manipulation of capabill- 
ties themselves. 

The basic architecture of the machine is shown in Figure 


_ There are eight general data registers D- D, All eight can 
be used as accumulators and D, - D.,can be used as modifier 
revisters. Do can also be used as a mask register which controls 
marked operation with certain instructions. Each register is 25 
bits long, 24 bits + 1 parity bit being the basic word length of 
System 250. 


D(1) MASK 
0 (2) 
D (7) 


INSTRUCTION ADDRESS 


INTERVAL TIMER 
WATCHDOG TIMER 
PUSHDOWN POINTER 


INDICATORS PRIMARY 


fT ti‘Cs‘CSCsCS@OY T FAULT 


0 HISTORIC REGISTERS CONTAINS 
PACKETS OF DATA. 

INSTRUCTION 

INSTRUCTION ADDRESS 

ADDRESS OrFSET IF 

STORE MODE 


SECONDARY 


Ramee egrepearenencer OTD ee ad 
eet EO ED ANTS SP e 


E.G. 








15 0 


B,ASE 
Module No , 






Location 









Access code Limi 


ACCESS CODE 


READ 16 
WRITE 17 
EXECUTE 18 
READ CAPABILITY 19 
WRITE CAPABILITY 29 
ENTER CAPASILITY 2 


Fig.4 Capability Format 


There are eight general purpose capabilty registers, Co- 
C 7, general purpose in this context meaning that the resisters 
are directly accessibie to all programs. Each capability register 
comprises two 25-bit registers. As indicated in the diagram C7 
is allocated to holding to holding the capability for the currently 
running code block, while Cg defines the process capability 
pointer block which designates the capabilities which are 
available for the currently running code block. The remaining 
registers are loaded under programmer direction with capabilities 
for data blocks as required. By definition C, will always hold an 
EXECUTIVE access code. 


STORE 





TYPICAL DATA BLOCK 








PROCESS CAPABILITY 
POINTER BLOCK 








CURRENT CODE 
BLOCK 





PROCESS DUMP STACK. 








c (4) SYSTEMS INTERRUPT 
WORD 


SYSTEMS CAPABILITY 


—— > —t—=“C=i‘“CSOSOSOSOOOOOTOOOOOOOTNN 
ei nee TABLE 


INTERRUPT BLOCK 


Cc (S$) a a a arr ra 
i nt aR lS CHECK-OUT SLOCK 


Fig.5 Machine Architecture 








In addition to the eignt general purpose capability 
registers there are five special capability registers which are used 
by the processor and the uperating system to access control 
information. These registers are not normally accessible to 
prograinmers, but can be accessed by programs which operate in 
a special internal mode. However, the hardware may allow the 
contents of a register to change during the execution of certain 
instructions. For reference the special capability registers are: 


C (D) - which defines an area of store called the 


Process Dump Stack. 


C (f) - wnich defines the System Interrupt Word. 
C (C) - which defines the System Capability Table. 
C(N) - wiich defines the normal interrupt block. 
C (S) - which defines the start-up block. 





STORE MODE S=8 | 
1 5 3 3 3 9 
“ Note 1 
A + Base + <M> 


(c) 


DIRECT 
5 3 3 12 
: Note 2 


1 
ele To [Ld et then 


defines 2nd Ragister 


fmAOdE S=1 





= SELECT 

= FUNCTION 
= ReGiSTER 
MODIFIER 

= CAPABILITY 


= ADORESS OFFSET (assumed positive) 


- >» O F Oo " 
iY 


= SIGNED LITERAL 


Fig.6 Instruction Format 


Instruction Format 


The basic instruction formats of System 250 are snown 
in Fiz. 6. There are two formats, known as Store Mode and 
Direct Mode, determined by the condition of the most signifi- 
cant bit, the S field. 

In Store Mode, the address defined by the instruction 
is used to access a store location which contains the required 
operand. The F field defines one of 32 functions to be per- 
formed. The D field normally selects one of the general purpose 
data registers D5, to D7 to be used as the first register 
eperand of the instruction. 

There are two exceptions to this rule. Firstly, in the 
cose of the JUM? instruction, the field ts used to indicate one 
of creht arithmetic conditions. Secondly, two of the capahiuty 
manipulation instructions use the field to define the capability 
revister on which the operation is to be performed. 


“~ 


14 


The M field selects one of the general data registers D, 
to D7 to be used as a modifier in forming the address. Zero in 
this field indicates no modification and therefore D) cannot be 


as a modifier. The C field defines one of the genera! purpose 
capability registers Co an C7 the contents of which define the 
reievant store block. The A field contains a positive binary 
number used in forming the operand address. 


Address Construction 


The address to be used by the instruction in Store Mode 
is formed by adding the Address Offset in the A field to the base 
value in the Capability Register defined by the C field. The 
resultant sum is then added to the contents of the modifier 
register defined by the M field, this step being omitted if the M 
field is zero. | 

Thus, an address is always defined relative to the base of | 
a specified capability register, which in turn defines the store- 
block currently in use. it will thus be appreciated that the capa- 
bility concept is an integral part of the processor operation. When 
When the address 1s formed, checks are carried out to ensure tnat 
the constructed address is valid in terms of the capability defini- 
tion. The Access Field is first checked for all zeros and if this 
condition is encountered, a PROGRAMI tran is generated. The 
absolute address is then checked to ensure that the value lies 
between the base and limit values in the spectfied capability 
revister. If cither check fails a fault interrupt is generated. Finally 
the micro-program step which determines the form of access is 
checked to ve compatible with the codes defined in the field. 
Again, if this check fails a fault interrupt is generated. If the 
checking procedure is successful the required store access is per- 
formed by the processor and the contents of the store location 
form the second operand. When the instruction address register 
is used as the address:source to access instructions, the same 
checks are carried out using the contents of capability register 
C(7). 


To appreciate how the capabilities are supplied, it is 
necessary to consider the ‘enter’ mechanism. ‘Enter’ is one of 
the available access code types, its purpose being to submit a 
subroutine call from one code to another, or more strictly a 
code block in one node to cali a code block in another. The 
method of operation is as follows: 

1) The cailing node has an enter capability for the main 
capability block of the called node. An offset down this block 
gives an execute tyne capability for the required code block. 

2) The call is achieved by a ‘CAL’ instruction, which 
specifies the enter type capability and offset. The effect of the 
call instruction is: 

1) To load C7 with the execute type capability for the 
required code block. 

ii) To load C6 with the enter type capability for the called 
node’s capability block. A read capability access code is auto- 
matically supplied in C6, so that the called node can read its own 
capabilities. 

3) The old values of C6 and C7 referring to the calling node, 
are automatically preserved in a stack defined by one of the 
special capability registers. These values are returned when the 
called node performs the instruction RETURN. It should be 
noted that the enter type capability dees not violate security 
rules, a calling node cannot gain access to the data block of a 
called node by reading them, only the cailed block can utilise 
the relevant data Dlocks. Both calling and called nodes are mutu- 
ally protected from each other. 











ieee 7S tons 


The mistraction set of System 250 may be considered as. 
being bi two sections + data dastructions and capabnity muniou- 
lation instructions. The data instracttons are esseatialik couven- 
tional ore socond sat beng provided for the necessary nt 
iped ia the paper on 


LD il- 


lation at copabilities descr S¥ stein OpeTSuON, 


Ystem Pterrupts 





An important aspect of the processor, ca riicularcly assa- 
ciatea waER the handhay of input/output transfers 13 the method 


Gi deauires with interrupt. 

fc is impheit ina trafitc-sharing system that any proces- 
sor is capable of performing anv process. It is therefore follows 
inai input ‘output and intervupt inust be processor ind dent, 


epen 

Yn Direct Afode the S bit | and no store accesses are 
nvoleed, aoe the C field ts not required and the Cand A 

combined to form an 11-bit signed literal (L). Phe 
alue can be modified by the contents of the reuiste 
ae ned tn the M field. Uf tne L tield is zero, the M field is us er 
to Cetine one of the registers D, to Dy as containing the second 
operand, giving aie r to register operation, 


Cavabilicy Structure 





aoabilicy register defines the permitted bounds 
of a store — K and the operations upon it which are vaud. it 
mn aceess rignt to store. Any attempt by a prograni to 
ile these permitted Hes or to perform ilictt opera- 
ected by hardware and the progeain is interrupied 
siariee The capability register thus has two func- 


} To provide an addressing base for access to the store, 

2) To limit the scope of a program and ¢ ay contain jis 
purential for store corruption in the event of a fault. 

it should be noted raat the protection is ane valid 
azaits’ both hardware and software fruits. 

{he special capability resister Cs already referred to, 
lenes the process capabihty biock, containing Diocks that the 
Pwant to operate on. Some of these would be data 
olocks, some rahe themselves be capability blocks, viving access 
rizhts to 2 synole new rauge of blocks. Thus a whole network 
can D2 constructed consisting of code and data blocks inter- 


Coie Tay 
i 


connected by capability blocks as shown in Fig. 8. 
rach of the modes consisis oe a shee caries y Diock witha 
saterite | code and data blocks, and furtner satellite capability 


blocks giving access to further daia blocks etc., tie whole 
forming a nodul cata sivucture on which its code blocks can 
Seek A code block can operai2 on this structure d 


tea cacabilities are supplied: 

1} Fo: the code diock itself: in C7 

s ur the node’s main capability block, in C6 giving 
alrcans to at blocks ae the node. 


This tmohes a departure from the conventional method 
of jandling interrupts, in that the interrupt signal must produce 
2 avstem reaction, which can be handled by any processor, rather 
‘nz connected to individual ncocessors, interrupts are 
e nandled via the sturage system. 

Ali processors and input/output channels have access to 


mr store Known as tne system interrupt word, cach pro- 


visser rafersaces this word by means of the special capabibtry 


ee fib) very DCO gs tor any suitable period defined tor 
eee ky Abert the Procaor eucomatiaihy Stns at Ure Cl of 
i? werent vstructina ind carcreaboutipciecs for uitercine 


Nee Tis is Witsirated 1a Ps 





Pie.&d Capability Network 





UW. 





m ; | 
ie imarruol word } 


5, or nnennendiemnanrnetnaseeememnenmnenanemeameemne | 
\ “Mask word : 
i 

Ener to interrupt bioci| 


One Dit per Processor 
ae and per 1/0 channel 


System jntarrupt word 
23 7t 0 


Interrupt accept registar 
23 765 


ee 


Trap accepted 


Correlation count of 
System intarrup! word 





Lr a) 











Using soecial capability register CON) the processor 

fetehes Vie Lautorrepi Mask VWord. Using special capability 

re ae . At. the peocessor fetches the System Interrupt Vrord 
Sf pe ld teehs the store module to prevent rhe processors 

ir the SOY ts Zero 


those bits of the SUY Tor 


vaitan the 


tercytirpted. Qih Wi se, 


POPU ohm POMS ESCLSs, 


2 Corresponding bits 7 tne Mask Word ar 
cupigd bite an iaternal reyvisier. The value in ine mmiernal 


roaister is fan corrchiied, Le., a coretution count ts pro- 


2 first 
count is placed in pits @ - 5 of the 
Neosier, and the selected pilin tne ite 
henpew contents of tne inie 

inio cne SYIW location end the sture is 
3 to reset tne 


duced which Jetines the pusition in the SOY of ta 
iectiiee ane. aad this c¢ 
nal; revister 
mal revister are Caen 
unlocked. 
TASTE SI ae nificant 
the Sysiem Interrupt Word and to define its 
oe by placing a correlation count in ine 
_ This count is used by the HN to 


generating the infemmupt, which may bea 
> oe. 
iz 


3 


The eftect of this ate 


oe oran VO Chaunel. In effect this means inat the 
tem 250 is noi interrupt Criven in the conventional sens 
ut/Curput opera ve ns are controved bY 2 poling action 
CPG samiinier ae are only used for such purposes 
cating ihe end of a drum or disc transfer, tor exumpie. 


a) o 


uf ’ 
oh any im 


ed 


Drotection 


a 





In Svstem 2350, maior reliance is placed on the capad) 
itv mechanism to detect errors and to provice the basis 
5 tu Jtis therefore essential that : 
maTinin itsed? should be secure. eo Drotector 
built into the processor fo ensure thls secucily 
Loading of capabilities is carried ot froin a system 

i 2 System Capability Punic. A sum check ward 
s held in the System Capability T able, ‘ich is the arlenmelic 
f the boise und Hinvit values, rishi circulated bv 9 oits. Fits 
Pasa check suatust store faults a corruption 5 ihe stor- 
ming tre tabie. 


oo 
~ 


& 
al 
oe 
=o 


is 
wge area canta 
te circutation of the sumecheck ensures thai bit failures 
on the data nacis into the provessor veil be eee asi 
chacen fa Ee, {¢% ne: aso be noted thatany single bi 
in tne store addressing raechanism will aiso cyenerate 4 
ywwstem EC eabiity Table is i 
mavhet arrangement Capability wore 
aed purtty, Parity ts 


checked on foacing and also whenever a capability 


t 
store and the reeistars as 24 bit words 


| 
ia") 
2 
Uv: 
er 
Vv 
om 
- 


ae tisase. The c circultry 


of the capability registers, 
116 bit MSI packages is arranged 30 that 


eat unifso that 
id O2se hit ee confirms comect ats at of tne arttn- 
soe in tne svstem, 
bewztius to 


eS Invorves ihe arti cumetic 
mC 


Lace 


metic unit. Parity checking is used on all tra 


the processor b 


2 4 +t, ~ 7 r “\er 7. 
cengrate urlly in pa eee witht this transfer. At the Store Access 
Unit, pavity is aiso eenerated and returned on the ee chee 


sssor dia parallel with te store acesss cycle. Tre 


pee Spt Bary CWS Ihe Obits Gt 
opacity Comdition which is Gdd parity over the 2-4 01s Gt - 


t 

~ re v % a 2 . } . ee A 7 ee | iy ° 
aebdress in stored ia bota tae processor ind Cre store 2ccess Orb 
Wiiea ad, ety weardag transferred tu tae share ine processor Sean 


ei abo datasvard snd 


: are Oe ee Fee rae ee 
ui OE EN Se PP OE 2 PS CSI 


= 
' i t ext} sh \ ocr ne fs PEN yeh RG ae, pte 
eee Peer nae SAE DE ES A COs eS te 
‘ ae elgae | ~~\+ 1 oa atin 
Noes : ele: ECE eee eee ee ea ray Gh tee he SEs rae 
is * : 
i yr sect ated tele taatey Pe Dh 
[-Pts Note SES ae a Pee ep ae Eee Senet t eee ber) sare bee 
e a 
* ee t ' ‘ 
tert orc ee AGO 


renerate a Repel itv violation condition, 


Pa 


16 


The state of tne parity check wire is Cunypared at the 


processor with the parity venerated locally a ind if accomuartson 


failure ty detected, the fauli micro-sequencs is entered tmineddi- 
ately. The cocapartson oceurs at Address oe on bot READ 

and ULE = Ge ind at Data Accept time on WRITE 
Operations, This seneme ensures Gait parity eeneration and de- 


t 


SSDT TO that any oie ott failure in 
2 ee NE a ction logic in tne ie r2 is Cetected. 


cof other deta 


da min Qa 


ensure ior 24a ean the continuity of the capability address high- 
way, but space does not alow u full description. 


> 
9 summarize, the capability mechanism 3s protected ta 
t loading from ihe Seca. address to the hardware 
register, $f nb tity of tae daia during iis lite in the register and 
t operation of the register whenever the capability is 


ry 


+} 


iscussion of the actions which occur when any 
atection mechanism are activated ts relevant at this 
When any failure occurs the current. process 15 | , 
immedciaiely interrupted and KESET command sent to store. The 
processor then attempis to run a faull check sequence under the 
controt of ectal Bound resister Cs. which allows access toa 
special hmited area of store coniaining the necessary parameters, 
A ne sheck-out program is used to attempt to confirm the 
correct overatinn pof the processor. fF, during this sequence, a 
t} 


fault is encountered, the nuinber of the module in special capab- 
Hity revisie ae yis incremented by 1. Each store module has a 
speciat block ve ais cessor in corresnoncding locations, so that 
(he parameters cetined by C (5) are now ioaded froin a new sture 


module and the process is re-atiempied. Taus a orocessor which 


isin face faulty can never return to system. ‘OF completion of a 
satisfictory caeck-out the action taken is system dependent. As 


le processor will inforra the supervisar and 
; stem operation ir 


controled manner 

Onee the validity of the a abinty check is secured, the 
capability olfers significant advanizzes in many areas of the 
system. Not least of these is the ability to constrain the junctions 
of new modules. in both hardware and software, whica are added 


to ine system. The new modules can be tesied with no a 
damazing (ae oneration of the etisiiay camloment. Thus & 
capability conce fies a sivatficant contribution to a 
lem of expansion of a working system, the solution of which is 
vital in ihe telephone exchange eavironment. 


Construction 


ssor Unitand Store Access Unit are 
constructed using dual in-line IC packages mounted on 4 aver 
nrinted circuit Doards measuring 190« la3mm. The two outer 
layers carry circuit tracks and the two inner layers ave ground 
and vol anes respectively, ? used are predominantiy 
Texas 74H series, but other pacxsz } 2 areas, for 
exurmpie, (re canability se ee wh uo utiitse 16 bir Sisiseraten 
pad puckases. Maximum package deasity per board 1s 42. 
The boards plug into ¢ srs WITCH are mounied in 
peed Clrouit backol mach shelf can 
CArTY ae and ie SAU 
ultilaver con- 


The Central Proce 


fave pt ackaes 


"ONE CIS 


anes ussemmbled ia to a shelf. 


te 
33 boards. 


oper’ 
g tn as 
Biin 


1 Oe eRe ee 
PUY comprises iw Sire 
One Sele Tre hackoines chemselves COMGTIISS ban 


ba wets . eet A 4, iJ 
foverin the case oF tie COL 


rd vee rer in {G2 cise 


“ Pee 200 
Ss Tecetonp to 7 

-7 . . . -gre 7 . ° YY 4 ° a. * cas ae s 
of the SAL Phe score currentiy taause tia 32K 25 hit plated 


$ Sih yes eg eee ae ee rare a 2 
Roayips 25G us cyele Gore and rsell utilises stmhae cone 


ete lig 


a are i ae 
whet 


as Perr : Lose sbeg yt. toe > 
Kieu lta Ise EMSS eeceps feat tilie ADRS Is vO)+ 














- wee, eo ed ir ‘4 hy we oF 
oe eT Sg gS EROS > ae 









employed. Fig. 9 indicate. cae assembly. Fix. 10 shows a view : 
of the equipment ina module environment ncerpurating specia! 
test sets. we 


Conclusions ae 





oe mary nam th yp tt | 


















While not exhaustive, itis hoped that this paper. in con- wa ae ar ‘ 
Junction With tie two previous papers. has indicated the arinci- 3 i Se aes 3; . 
ples of the System 250 approach, with its method of deatine ae Poe oe fj - if 
with tae problems of & multi-processor caviroamient, which ts me Pa ns 
considered to offer improved fucilities over previously available a sees 
hardware, 4 ee 

a fhiwES ee ane Peres ee Lea Re td waite” PASE eh ta AR eee a SS 
Acknowledgement | ; 7 


1 would like to thank the many colleagues on whose | 
works this paper is based and che Directors of the Plessey Com- a" 
pany for permissicn to publish it. " 















ree ee 
1 ee 
+ 


se 









SORE or wey re eee ee 
ce : oer eee 






Pet. we 








ee Oa eee a 
“ 03$ pena a: meer et 
fewest 2S TA 


* 
ay 


CORALS Set cone meee aid 





3 
Z 


ores 2. i Seeee Sheen 





Se BP Si BEE ty 






SN aw = 4 a 






 , Sen. ee eT! 






SLi; eras timo: 
Cosa 21 Se ee 
8 ee a. et 


Ce ee ee eS en) 
[ee oe a otis 
tM 
2 ET OT er eee 


















(ers Od eo ee i 
SE et Ti Ot un Lae 












ui 
+ Sept wee New ne“ ietapeeeee ta Site pak mee son li -ne we eae yy is 






ALUN wet eo etree 
—Z 





4 








Shue lad “Ssh saath f Ae 





















ms te 
ae ede BAL tee REDE ey ethaty Sp 7 
ee Se ee: ee - = 
neh Oe we HL ERED 2 & 7 fers bso Loom ane 
ean aa cep TREY —— CNG OLA ALE, 
vat a 
: f 
{. 
. 
- r 
aero 
Se eeeanernen te enn na enentemnaeeerermaemseeen et a * oS 
a : , oe € 
; ° tern nnbne- owt & ¥ o3 
e < .4 i 
s 
‘J 
- shoe 
fee > Be 
oe 4 
. : ‘4 ia 
4 a ie 
- ~< 4 
: ? | 8 
7 
5 eal 2 
> , ° 


2 —— 
-_~ 
_— ew os 
one gan ees 
oa ee sae oe 
* weet ast 
~~ ente “te Fs 
x - - S a's 
. cae . -_ = 
- f ye oe 
Sate es 7 ? “g yh 
re + “ag J a 
. en wens Pees 
Paes ee 


17 











TELEPHONE SWITCHING BASED ON SYSTEM 250 


W.A.C. Heminings 


Plessey Company Limited, 
Liverpool, Eneland. 


Abstract 


Companion papers describe the requirements of a communi- 
cations control system and give details of the hardware and 
software of Svstem 250 tor this application. This paper shows 
how System 250 js applied to telephone switching. 

The telephone systern so organised is modular and is capable of 
assembly to produce offices of various types and sizes. Whilst 
initially only autonomous offices may be needed, the system 
can grow to form networks based on the concept of a pro- 
cessing centre controlling a nuinber of switching untts, some or 
all of which may be remote from the processing centre. 


a The Overlay Concept 


This paper is based on the ‘Overlay’ and Network Con- 
trol concepts described in a companion paper and being con- 
sidered for the continued development of networks such as 
that of the British Post Office (B.P.O.). These concepts cover 
all requirements from autonomous offices to full network con- 
trol by Processing Centres. 

It is proposed that the new network might be super- 
imposed on the existing network, all new demands for service 
being met from the new network. Figure | shows the existing 
network indicated by the squares: the smaller squares are in- 
dividual exchanges and they are shown linked star fashion to a 
Resional Office. The circles represent the new network, the 
smaller ones being remote units operated via data links to the 
Processing Centre. The main connection between the two net- 
works ts shown between the Regional Office (R.O.) and the 
Processing Cenire. It is possible to nave interconnections at a 
lower level than the R.O.; this would depend upon the loca 
community of interest. Such an arrangement has several advan- 
taves over other methods of working and these are described in 
a companion paper. 


Ifa) Implementation of the Overlay Concept 


In order to implement the ‘overlay’ concept, we are 
developing a series of modular units froin which the system 1s 
built, each of the modular units betng themselves built from a 
number of standardised sub-systems. 

Figure 2 shows a typical existing hierarchical structure 
comprising Revional Office, district ofmces, Local Offices ete. 
side by side with the new equipment, Tiree units are shown, 
the Main Switching Office (M.S.0.), Subscriber Switching 
Orfice (S.S.O.pand 8.8.0. Concentrator, The MISO cambines 


18 


the features of the District Office and the Manual Board together 
with transit facilities normally available at a District Office. The 
SSO is the equivalent of a District or Local Office and can operate 
ina similar manner. The SSO concentrator is really a remote 
switching unit based on a parent SSO. 

These Switching Units are controlled by the processing 
centre Pl. the various units being coupled to the processing 
centre by control data links. The units controlled by a single pro- 
cessing centre together with the processing centre itself can for 
convenience be called a control area. 

The processing centres of all control areas are able to 
interwork by means of an inter-processing centre, data link 
system. 


1.(b)  Sub-systems 


Figure 3 shows the component parts of the two S.S.O._ 
shown in the previous diagram, These component parts are 
standard sub-systems and all switching units can be assembled 
from a relatively few types of the standard sub-systems. The 
folowing sub-systems are shown: 

1. Subscribers Sub-System (SS) whose main function 
is to handle all subscriber activities such as calling 
line detection, ringing, supervision and so on. 
Transit Sub-System (TS) which provides a low loss 
interconnection point for all the traffic offered to 
it. 

3. Interface Sub-Svstem (IFS) which provides a com- 
plete signalling and switching interface between 
junctions to and from the existing network. 

These sub-systems are partly hardware and partly soft- 
ware; the sub-division ts illustrated in Figure 4. The upper half 
of the diagram shows the hardware which performs the physical 
connections and functions. The lower half indicates the software 
part that resides in the control complex: also shown is a soft- 
ware activity named ‘call control’ which handles the software 
packages associated with each sub-system via standard sub-system 
control interfaces. 

The hardware of each sub-system comprises many ifems 
which are interconnected, and each of these devices is controlled 
in software by a ‘handler’ package. Some devices such as 
markers or auxiliary circuits may be common to more than one 
sub-system. In these cases the complete function (hardware & 
software) is ‘loaned’ ona temporary basis to the sub-system re- 
quiring service. The allocation of ausitary circuits is such that the 
sub-system does not know if the service if gets 1s exclusive or 
shared. 


i) 


Figure 5 shows the Subscriber Sub-System divided into 
its Component parts:- 
(1) Subscriber line circuits and handler (SLC) — Subscriber 





calling conditio: 
(ii) Subscriber Concentrator Switch (SCS). This is a three 


stage reed relay space switch catering for a maximum of 
about 80 erlangs of bothway subscriber traffic. It is con- 


trolled by a marker and its marker handler both of 


which are in turn controlled by the subscriber concen- 
trator switch handler, whose function is to operate ona 
software map which contains a record of the complete 
state of the switch. Tins map-in-software technique will 


be menttoned again later. 


(itt) Supervisory relay sets (SUP) are provided at the inter- 


face to the Transit Sub-System, their function is to de- 
tect subscriber cleardown signals and to isolate the DC 


requirement of the subscribers’ lines from the rest of 
the system. It also provides an access pomt for 
auxiliary circuits. 


Auxiliary circuits are associated with supervisory relay 


sets viaan Auxiliary Access Switch (AAS) which may be con- 


trolied by the same marker as the SCS; the marker in this case 


is controlled by the AAS handler using the map-in-software 
techniques already mentioned. 

The auxiliary circuits required for the subscriber sub- 
system include the following:- 


(1) Digit receivers. 

(11) Tone senders for Ring Tone, Busy Tone etc. 

(tii) Ringing current senders. 

(iv) Coin control devices for controlling pay station calls. 
(v) Transmission test tone sender/receiver for testing trans- 


raission paths prior to switching through, 

All the above auxiliary circuits and iheir handlers are 
controlled by the S.S. control which tn turn is controlled by 
call control. The interface Sub-System, which is generally 


similar in concept to the Subscribers Sub-Svstem, is designed to 


interworx with all types of junctions with whicn the new and 


existing network will be interconnected. Auxiliary circuits, such 
as Senders and Receivers, will depend upon the sisnaihing con- 


Gitions required. 


The Transit Sub-System is, as mentioned earlier, simple 
in concept and coinprises either a software controled analogue 
switch or a software controlled digital switch, capable of inter- 
connecting other sub-systems. Software control again uses the 


miap-in-software technique. Different switch designs will be 
necessary to cater for tne various situations where tne transit 
sub-system will be empioved within the network. 


l(c) Callset up through Sub-Svstems 


Figure 6 depicts a typical subscriber-to-subscriber call 
progressing through the sub-systems so far mentioned. 
a) SLC} detects a calling condition. 


b) Path 1 is set via SUPL and AAS to DR. DR returns dial 


tone and collects diatts. 
c) If the called subscriber is not busy, path 2 is set from 


R/S!) via SUP1, TS. SUP2 to R/S2. A test tone is then 


sent in each direction in turn to prove the path. 
d) Path 3 is then set giving ring current to the cailed sub- 
scriber and ring tone to the calling subscriber. 


% 
— 


pleted through SUPI and SUP2, all auxilary devices 


beinw released progressively as their tasks are completed. 


t) SUP] and SUP2 detect their respective subscribers 
clearing and terminate the call. 


to 


The Processing Cuinplex and the Processor Utility 


The processing complex is the Communication Control 


When answer is detected by RC, the speech path is com- 


19 


System 250 described in companion papers. As far as the design 
of the telephone switching modules are concerned, the pro- 
cessing complex has been regarded as a ‘utility’ in which we need 
to consider only what it does, rather than how it does it. Such a 
‘processor utility’ forms a secure and defined environment in 
which application processes may run. 


2.(a) Peripheral Data Transfer “Utility” (See Fig. 7) 


The mediuin for the transfer of serial data is a two stage 
data switch. The primary stage, which is assoctated with the pro- 
cessor utility, has up to 64 ports with balanced line drivers for 
distribution within an exchange. The secondary switch is asso- 
ciated with the periphery and has a present maximum of 16 ports 
and unbalanced drivers. On outgoing messages each switching 
stage uses part of the address section of the message to select its 
output port. Similarly on incoming messages each stage appends 
its port address. ; 

To check the messages outgoing from the processor 
utility an identifying check code is wired into each pertpheral 
connected to the serial medium: this check code is transmitted 
with each message intended fer the peripheral. Comparison of 
the received check code with the allocated code at each peri- 
pheral confirms that the message has arrived at the correct 
destination. 

The check code is also added to incoming messages 45 a 
further check on the integrity of the data transfer arrangements; 
all paths between the processor utility and the peripherals are — 
duplicated. The whole of the data transfer arrangements is re- 
garded as a further ‘utility’, referred to as the Peripheral Data 
Transfer Utility. 


2.4b) Scanners and Distributors 


Beyond the secondary data switch, which is associated 
with the perioheral, are scanners and distributors for data 
collection and distribution. Two modes of reporting from the 
scanners are used: exception mode in which a report is made 
only when an input has changed, or response mode which re- 
ports on command. This method of working considerably re- 
duces the number of repurts, compared with a scanning 
technique in which the state of each input is reported on every 
scanning cycle. In order to simplify scanner hardware and to 
preserve a standard message format, it is arranged that when a 
message needs to be sent, the report wili consist of a complete 
scan field and not an individual input. A standard design has 

zen produced which caters for both modes of scanning with 
minimal hardware and software changes. 

The basic function of the distributor is fo convert sertal 
data arriving in messages from control to a staticised parallel 
format to drive peripheral devices. Check codes are used fo check 
the integrity of messages; an incorrect check code causes the 
distributor to ignor all further information. 

Normally. security is achieved in both the scanners and 
distributors by including these functions in security blocks, that 
is sections of equipment within which a failure would have only 
a limited effect on system performance. However, in case of the 
scanners, duplication or N+1 security techniques can be used 
where advantageous, such as in the case of small offices. 


2(c) Line Circuit & Switchblock 


The subseribers line circuit, not illustrated, has an elec- 
tronic loop detector and uses a reed relay to isolate the loop 
detector so as tu reduce crosstalk and give better testing 
facilities. 

Ficure & shows the subscribers’ concentrator switch 
which consists of three linked stages A, B and C using reed relay 











matrices. To cater for various subscriber caliing rates, three 
methods of adjusting the concentration ratio are provided:- 


(i) Varying the multiple of A units on the A-B links. 
(11) Varying the number of AB networks on the BC links. 
(iti) Sub-equipping the A units. 


The present design represents an opiimum between cross- 
point minimisation, ease of extension, production costs and 
maintainability and has been confirmed by computer simulation 
techniques. 
24d) Marker 

The switch network is controlied by a marker, a hard- 
ware device controtled by a software marker handler within the 
processor utility. The current state of the network is contained 


within a software ‘map’. Information in the map is used to effect 
path choice and appropriate instructions are passed to the 


marker via the marker handler in order (o set up the chosen path, 


The marker operates in three modes 

To set up paths. 

To release patns. 

To inspect and report on the busy/free condition of 
selected links. 

To obtain adequate security the marker is duplicated. To 
prevent a switch network fault from disabiing both markers, 

is arranged that the switch network is divided into sections 
which can be isviated from the marker. 


w= 


2.(e) Equipment Lavout 


Before contiuding this brief review of the telephone 
hardware I would like to mention equipment layout and equiv- 
ment practice. A new equipment practice has been developed 
for automated production having metric dimensions. Racks are 
single sided, are available in modular sizes allowing four heigats, 
three widths and three depths, and nave been designed either to 
stand as individual racks or be incorporated into suites of racks. 
Normal arrangements are made for providing telephone power 
supplies, fused AC outlets and other services, and blowers can be 
incorporated as required. Removable covers are provided at the 
rear of the racks. 

Of tne four heizhts of rack available, that proposed for 
telephone switching applications is 3198 inm high, being the 
metric equivalent of the current B.P.O. standard rack (10 fi. 

6 tn.). ; 
Three modular standard rack widths are available, 600, 
900 and 1150 mm. One of these, 11506 mm, will be used for ail 
main analogue switching racks. 

Shelf height can be chosen in 52.5 mm modular steps, 
the maximum height proposed being 285.5 mm. Unit width may 
vary from 25 inm to 150 mm in 25 mm modules. Typicaily, 
crosspoint relays and relay sets mounting comparatively large 
components such as relays and transformers require 75 mm 
units. Electronic units, ie. Markers, Scanners, etc., are normally 
mounted on 25 mm or 50 mm units. Units of 75 mm or larger 
are available to mount special requiremenis such as power 
supply converters etc. 


3. Software Struc 
34a) 


ture for Telecommunications Control 
Application Software 

Referring again to figure 4, each sub-system has a hard- 
ware part and a software part; the software handlers interface 
to an overall handler called ‘call controi’. The interface between 
the individual hundiers and call control 3s standardised to eaahle 
ench part of the application software to be separately dealt with 
as modules, and to allow modules to be added, deleted or 


modi ified without affecting other modules. 

he environment in which the application software runs 
is the processor utihty which in any given circumstances will con- 
sist of a particular combination of many different pieces of hard- 
ware. Phe amount of equioment supplied is determined mainly 
by the traffic handling requirements of the processor utility; 
many of the individual tasks to be performed, however, are inde- 
pendent of both the particular configuration and the traffic load. 


3.(b) Peripheral Handling 


Perigherals are usualiy vader control of a software peri- 
pheral handler package which within the system is responsible 
for establishing communication with the device, checking its 
staius and sending all contro] signals necessary to perform the 
transfer. The Feripneral Handler is aiso able to deal with fault 
conditions in the peripheral and where appropriate attempi to 
repeat the transfer. 

Not all peripherals come directly under the Peripheral 
Handler. Some peripnerals are not shared and belong 
permanently to one application — for example a Marker. In this 
case operation of the peripheral is controlled by a package in the 
Application Suite, and only this package need have detailed 
knowledge of the characteristics and control of the device. All 
messages to and from the peripheral will be handled by the Peri- 
pheral Handier in order to ensure proper control and use of the 
data highways. 

3.(c) 


Fault Security Routines 


A fault monitor is provided which counts error reports 
from difierent packages and calls for rile Audits. If the number 
of faults detected by the file audit routine becornes excessive 
then reference is made to 3 higher leveij routine which is part of 
the Operating System. 

The fault security routines in the first instance initiate a 
reload of the applications read-only areas, and instruct the 
application to reconstruct or re-validaie its read-write areas. The 
reload is performed from a second copy, maintained by the 
system. 

Should errors still persist, a general system test and re- 
start is initiated. A complete cycle of test programs 1s run, in- 
cluding such ifems as processor checkout, store tests and 
functional tests. Any faulty items should now be discovered and 
switched out of the system. The ee is now instructed to 
revalidate or reconstruct the read-write areas again. 

The next stage of error oe is system reload, when 
all programs aad read-only areas of the system are reloaded and 
the lower level procedures are repeated. Finaily, should any 
fault still persist, a trial reconfiguration ts attempted, the various 
mcdules are then effectively switched out in turn until the error 
source is removed. 


3.(d) Structure of the Application Program Suite 
As mentioned nreviously each of the sub-systems com- 
prise both hardware and software; the software functions are 
made up of one or more program packages, a package being re- 
garded as a collection of blocks of code or data functionally 
independent and sharing a common Cupability Pointer Tabie, The 
Capability mechanism is explained in a companion paper and 
will not be dealt with further here. 
Ina typical packave structure, packages sub-divide into a 
number of function-criented blocks:- 
Normal Operation Code 
Capability Pointers (which point indirectly to areas of 
store or other resources that need to 
be accessed) 








Fault Messages 

Package Restart Code 

File Audit Code 

Device Test Code 

Private Files 

The four code blocks all have separate entry and exit 
and each may call the Fault Monitor as a sub-routine. 


3.4c) Fault Monitor 


The fault monitor is responsible for all resources which 
the application has sole use of; the remainder are the responsi- 
bility of the ‘System Fault Handler’ within the Operating 
System. Program code, Gata, telephone hardware sub-systems 
are allin the Application category, whereas the stores holding 
the code and data, and the CPU’s are in the System category. 

Faults are detected by failure to complete a sequence, 
by data consistency checks, by built in hardware checks and by 
routining. Faults are logged against resources and a fault count 
built up. The various resources are graded into a resource nier- 
archy in which Suite files are Primary resources; Secondary re- 
sources include Package code blocks, Tertiary resources include 
Auxiliary circuits, Supervisory relay sets and so on. 

When the fault count on a primary resource exceeds a 
pre-set value, a request is made to the System Fault Handler to 
test the system and reconfigure if necessary. Overflow on secon- 
dary and tertiary resource fault counts are used to detect and 
put out of service faulty items, such as relay sets, which do not 
cause the entire system to fail. The fault count information ts 
also used as a pointer to the application of further routining and 
diagnostic processes. 


3.(f) Interaction within the Application Suite 

In an ideal situation the requirements of a subscriber 
making a call would be treated as a single dedicated transaction. 
This ideal situation cannot be met because of the volume of 
traffic to be handled and the slow rate at which data pertaining 
to a single call becomes available in relation to the speed of the 
system. Furthermore, the desired modularity of the telephone 
sub-system requires generally agreed interfaces which act as 
natural boundaries (sub-system functions communicate with 
Cali Control via a standardised interface to allow a modular 
programming approach). This imphes that in order to satisfy a 
service request separate processes are required in the sub-system 
function and the Call contro) function. Requests for service 
generally originate in a sub-system and so create a process in the 
sub-system suite. The latter is a collection of Peripheral 
Handlers co-ordinated by a sub-system contro] package; the sub- 
system functions, whilst being intimately familiar with the sub- 
system characieristics such as the trunking pattern, relay re- 
sponse time, equipment availability, etc., co not have any know- 
lodge of the service requested. The Cail Control function deter- 
mines the service to be provided and in what manner, purely by 
requesting the sub-system suite to execute some standard func- 
tions. Tre process active in the sub-system suite will determine 
that a seizure has occurred and acknowledge this seizure to the 
Call Control. 


3.(g) Map-in-slemory 

I would now hike to return to the subject of switchblock 
mapping and its integrity: our system uses a software map of 
the switchblock links. All path choices are made from this map, 
which means that path search and choice criteria, much too 
complex to reaise ia hardware, can be used. This leads to more 
efficient use of crosspuints, and junctions in the case of wide 
area control systems such as the ‘overlay’ concept. 


2) 


In considering a software ‘map’ approach to path choice, 
care must be taken to prevent divergence between the state of 
the map and the state of the actual hardware. It can be expected 
that divergencies will occur: appropriate safeguards must there- 
fure be built into the system to detect and eliminate any such 
occurrences. This ts best done by the requirement that the 
norma} traffic activity should provide a feed of information to 
the map which is suificient to guarantee that the state of the 
map and that of the switchblock will converge. Such an arrange- 
ment will cover minor faults: by deliberate ruutining activity on 
similar lines, rapid recovery can be made from even major fault 
conditions with the loss of very few of the calls concerned. 

Our marker is arranged so that it inspects four switch- 
block inlets whenever it wishes to set or release a path which 
uses any of the four. The state of each inlet is checked against 
the map. If the marker should set up an incorrect path it may 
have used the correct switch inlet — if so the map will be correct 
again when the call clears. If it used the wrong inlet (and it was 
not trapped at this state because it picked one already busy), 
then two switch inlets in the map will be disagreeing with the 
hardware state. The busy inlet which is shown as free in the map 
will be freed when the call terminates. (This should not take 
long since this call can be expected to fail). The free inlet which 
is shown as busy in the map will be discovered when an adjacent 
inlet is selected for a subsequent cail. 

If the complete map should be lost due to store failure, 
anew map can be compiled from individual call records. These 
list the switchblock links used by all calls in progress. It would 
take several seconds to generate a new map. 

An audit routine, based on constructing a new map and 
comparing it with the one in use, is used as a further check of 
map integrity; this only occurs on a small section of the map at 
a time in order to cause minimum disturbance, since calls could 
not be set up or cleared during the audit without excessively 
complicating the audit routines. 


4. Acknowleczement 


I should like to thank my colleagues upon whose work 
this paper is based and the Directors of the Plessev Company 
for permission to make this information available. 








C) ge Cy INTER CONTROL AREA ROUTE anual Board 
so Inter Control 


Area 
Cata Link 







Misc alanzous 
Terminabon 









LES a, HARDWARE 
| Pager y SOFTWARE 
Cine =, O | . 
_ Standard [ss] 
pend , Existing Subsystem Control- -_, 4 ; 


; Interiaces 
inne C) Overiay Network 






CALL CONTROL 


FIG. 1 ‘OVERLAY’ NETWORK CONCEPT FIG. 4 SUB-SYSTEM HARDWARE & SOFTWARE DIVISION 


18/D} Scanner/Distributor 


HARCWARE 


SOFTWARE - 









i: 
i 









FIG. 2 EXISTING AND NEW CONFIGURATIONS Eee Sees year Cenc! 


Pa 


” E 
Standard °SS' Control Interface 
} SSO. 
§ 


FIG. 5 SUBSCRIBER SUB-SYSTEM ELEMENTS 





Calling 
Sub. 
$5.0. 
Concentrator 
Type 
FiG. 3) SUBSCRIBER SWITCHING OFFICE, SUB-SYSTEMS FIG. 6 SUB TO SUB CALL 













CFU's 
STORES 
etc 





Parauel “ata Data 
uch Switch 


Sarial i ( ‘er 
Intarface | 
Serial Primary Sscondary Unit , aj 
= { 






Distribatoe 


SiU 


—> 





-_em mm om oF me ow ae 


be ee SS ee ee ee eee Mee ks aes ee eee i 
Terminations 120 Circuits 
A . 5 Cc toTS 
pe SSS ee 1 SSS ee _ 
{ 
| 
Vv 





! 
i 
| 
Peripheral Data Transfer Utility ok : Pariprerals 


H | ‘ ) 

| px 4 7 | 

FIG. 7 PERIPHERAL DATA TRANSFER UTILIVY | _ Bie | 
t I 

"Lee Sr 


! 

t 

| 
Processing 
utuiry I 


FIG. 8 SUBSCRIBERS CONCENTRATOR SWITCH 








